Generated docs from job=generate-docs branch=master [ci skip]

2024-07-24 02:17:35 +00:00
parent 3bc01cabb5
commit 2d3c1652a4
12 changed files with 243 additions and 3 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1608-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1611-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -340,6 +340,9 @@ defense-evasion,T1112,Modify Registry,83,Modify UsePartialEncryptionKey Registry
 defense-evasion,T1112,Modify Registry,84,Modify UsePIN Registry entry,3ac0b30f-532f-43c6-8f01-fb657aaed7e4,command_prompt
 defense-evasion,T1112,Modify Registry,85,Abusing Windows TelemetryController Registry Key for Persistence,4469192c-2d2d-4a3a-9758-1f31d937a92b,command_prompt
 defense-evasion,T1112,Modify Registry,86,Modify RDP-Tcp Initial Program Registry Entry,c691cee2-8d17-4395-b22f-00644c7f1c2d,command_prompt
+defense-evasion,T1112,Modify Registry,87,Abusing MyComputer Disk Cleanup Path for Persistence,f2915249-4485-42e2-96b7-9bf34328d497,command_prompt
+defense-evasion,T1112,Modify Registry,88,Abusing MyComputer Disk Fragmentation Path for Persistence,3235aafe-b49d-451b-a1f1-d979fa65ddaf,command_prompt
+defense-evasion,T1112,Modify Registry,89,Abusing MyComputer Disk Backup Path for Persistence,599f3b5c-0323-44ed-bb63-4551623bf675,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
@@ -242,6 +242,9 @@ defense-evasion,T1112,Modify Registry,83,Modify UsePartialEncryptionKey Registry
 defense-evasion,T1112,Modify Registry,84,Modify UsePIN Registry entry,3ac0b30f-532f-43c6-8f01-fb657aaed7e4,command_prompt
 defense-evasion,T1112,Modify Registry,85,Abusing Windows TelemetryController Registry Key for Persistence,4469192c-2d2d-4a3a-9758-1f31d937a92b,command_prompt
 defense-evasion,T1112,Modify Registry,86,Modify RDP-Tcp Initial Program Registry Entry,c691cee2-8d17-4395-b22f-00644c7f1c2d,command_prompt
+defense-evasion,T1112,Modify Registry,87,Abusing MyComputer Disk Cleanup Path for Persistence,f2915249-4485-42e2-96b7-9bf34328d497,command_prompt
+defense-evasion,T1112,Modify Registry,88,Abusing MyComputer Disk Fragmentation Path for Persistence,3235aafe-b49d-451b-a1f1-d979fa65ddaf,command_prompt
+defense-evasion,T1112,Modify Registry,89,Abusing MyComputer Disk Backup Path for Persistence,599f3b5c-0323-44ed-bb63-4551623bf675,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
@@ -413,6 +413,9 @@
  - Atomic Test #84: Modify UsePIN Registry entry [windows]
  - Atomic Test #85: Abusing Windows TelemetryController Registry Key for Persistence [windows]
  - Atomic Test #86: Modify RDP-Tcp Initial Program Registry Entry [windows]
+  - Atomic Test #87: Abusing MyComputer Disk Cleanup Path for Persistence [windows]
+  - Atomic Test #88: Abusing MyComputer Disk Fragmentation Path for Persistence [windows]
+  - Atomic Test #89: Abusing MyComputer Disk Backup Path for Persistence [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
  - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -301,6 +301,9 @@
  - Atomic Test #84: Modify UsePIN Registry entry [windows]
  - Atomic Test #85: Abusing Windows TelemetryController Registry Key for Persistence [windows]
  - Atomic Test #86: Modify RDP-Tcp Initial Program Registry Entry [windows]
+  - Atomic Test #87: Abusing MyComputer Disk Cleanup Path for Persistence [windows]
+  - Atomic Test #88: Abusing MyComputer Disk Fragmentation Path for Persistence [windows]
+  - Atomic Test #89: Abusing MyComputer Disk Backup Path for Persistence [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
  - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -14271,6 +14271,66 @@ defense-evasion:
          '
        name: command_prompt
        elevation_required: true
+    - name: Abusing MyComputer Disk Cleanup Path for Persistence
+      auto_generated_guid: f2915249-4485-42e2-96b7-9bf34328d497
+      description: 'Replacing the registry settings with custom executable will end
+        up with the replacement programs being executed at the time OS will decide
+        to kick off the respective activity
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath"
+          /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath"
+          /t REG_EXPAND_SZ /d "%SystemRoot%\System32\cleanmgr.exe /D %c" /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Abusing MyComputer Disk Fragmentation Path for Persistence
+      auto_generated_guid: 3235aafe-b49d-451b-a1f1-d979fa65ddaf
+      description: 'Replacing the registry settings with custom executable will end
+        up with the replacement programs being executed at the time OS will decide
+        to kick off the respective activity
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath"
+          /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath"
+          /t REG_EXPAND_SZ /d "%systemroot%\system32\dfrgui.exe" /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Abusing MyComputer Disk Backup Path for Persistence
+      auto_generated_guid: 599f3b5c-0323-44ed-bb63-4551623bf675
+      description: 'Replacing the registry settings with custom executable will end
+        up with the replacement programs being executed at the time OS will decide
+        to kick off the respective activity
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath"
+          /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath"
+          /t REG_EXPAND_SZ /d "%SystemRoot%\system32\sdclt.exe" /f
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1574.008:
    technique:
      modified: '2023-05-09T14:00:00.188Z'
@@ -11625,6 +11625,66 @@ defense-evasion:
          '
        name: command_prompt
        elevation_required: true
+    - name: Abusing MyComputer Disk Cleanup Path for Persistence
+      auto_generated_guid: f2915249-4485-42e2-96b7-9bf34328d497
+      description: 'Replacing the registry settings with custom executable will end
+        up with the replacement programs being executed at the time OS will decide
+        to kick off the respective activity
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath"
+          /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath"
+          /t REG_EXPAND_SZ /d "%SystemRoot%\System32\cleanmgr.exe /D %c" /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Abusing MyComputer Disk Fragmentation Path for Persistence
+      auto_generated_guid: 3235aafe-b49d-451b-a1f1-d979fa65ddaf
+      description: 'Replacing the registry settings with custom executable will end
+        up with the replacement programs being executed at the time OS will decide
+        to kick off the respective activity
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath"
+          /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath"
+          /t REG_EXPAND_SZ /d "%systemroot%\system32\dfrgui.exe" /f
+
+          '
+        name: command_prompt
+        elevation_required: true
+    - name: Abusing MyComputer Disk Backup Path for Persistence
+      auto_generated_guid: 599f3b5c-0323-44ed-bb63-4551623bf675
+      description: 'Replacing the registry settings with custom executable will end
+        up with the replacement programs being executed at the time OS will decide
+        to kick off the respective activity
+
+        '
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath"
+          /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
+
+          '
+        cleanup_command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath"
+          /t REG_EXPAND_SZ /d "%SystemRoot%\system32\sdclt.exe" /f
+
+          '
+        name: command_prompt
+        elevation_required: true
  T1574.008:
    technique:
      modified: '2023-05-09T14:00:00.188Z'
@@ -182,6 +182,12 @@ The Registry of a remote system may be modified to aid in execution of files as

 - [Atomic Test #86 - Modify RDP-Tcp Initial Program Registry Entry](#atomic-test-86---modify-rdp-tcp-initial-program-registry-entry)

+- [Atomic Test #87 - Abusing MyComputer Disk Cleanup Path for Persistence](#atomic-test-87---abusing-mycomputer-disk-cleanup-path-for-persistence)
+
+- [Atomic Test #88 - Abusing MyComputer Disk Fragmentation Path for Persistence](#atomic-test-88---abusing-mycomputer-disk-fragmentation-path-for-persistence)
+
+- [Atomic Test #89 - Abusing MyComputer Disk Backup Path for Persistence](#atomic-test-89---abusing-mycomputer-disk-backup-path-for-persistence)
+

 <br/>

@@ -3142,4 +3148,100 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-T



+<br/>
+<br/>
+
+## Atomic Test #87 - Abusing MyComputer Disk Cleanup Path for Persistence
+Replacing the registry settings with custom executable will end up with the replacement programs being executed at the time OS will decide to kick off the respective activity
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f2915249-4485-42e2-96b7-9bf34328d497
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath" /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath" /t REG_EXPAND_SZ /d "%SystemRoot%\System32\cleanmgr.exe /D %c" /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #88 - Abusing MyComputer Disk Fragmentation Path for Persistence
+Replacing the registry settings with custom executable will end up with the replacement programs being executed at the time OS will decide to kick off the respective activity
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3235aafe-b49d-451b-a1f1-d979fa65ddaf
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath" /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath" /t REG_EXPAND_SZ /d "%systemroot%\system32\dfrgui.exe" /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #89 - Abusing MyComputer Disk Backup Path for Persistence
+Replacing the registry settings with custom executable will end up with the replacement programs being executed at the time OS will decide to kick off the respective activity
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 599f3b5c-0323-44ed-bb63-4551623bf675
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath" /t REG_EXPAND_SZ /d "%systemroot%\system32\notepad.exe" /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath" /t REG_EXPAND_SZ /d "%SystemRoot%\system32\sdclt.exe" /f
+```
+
+
+
+
+
 <br/>
@@ -1319,6 +1319,7 @@ atomic_tests:
    elevation_required: true

 - name: Abusing MyComputer Disk Cleanup Path for Persistence
+  auto_generated_guid: f2915249-4485-42e2-96b7-9bf34328d497
  description: |
    Replacing the registry settings with custom executable will end up with the replacement programs being executed at the time OS will decide to kick off the respective activity
  supported_platforms:
@@ -1331,6 +1332,7 @@ atomic_tests:
    name: command_prompt
    elevation_required: true
 - name: Abusing MyComputer Disk Fragmentation Path for Persistence
+  auto_generated_guid: 3235aafe-b49d-451b-a1f1-d979fa65ddaf
  description: |
    Replacing the registry settings with custom executable will end up with the replacement programs being executed at the time OS will decide to kick off the respective activity
  supported_platforms:
@@ -1343,6 +1345,7 @@ atomic_tests:
    name: command_prompt
    elevation_required: true
 - name: Abusing MyComputer Disk Backup Path for Persistence
+  auto_generated_guid: 599f3b5c-0323-44ed-bb63-4551623bf675
  description: |
    Replacing the registry settings with custom executable will end up with the replacement programs being executed at the time OS will decide to kick off the respective activity
  supported_platforms:
@@ -1647,3 +1647,6 @@ b051b3c0-66e7-4a81-916d-e6383bd3a669
 4469192c-2d2d-4a3a-9758-1f31d937a92b
 e39b99e9-ce7f-4b24-9c88-0fbad069e6c6
 c691cee2-8d17-4395-b22f-00644c7f1c2d
+f2915249-4485-42e2-96b7-9bf34328d497
+3235aafe-b49d-451b-a1f1-d979fa65ddaf
+599f3b5c-0323-44ed-bb63-4551623bf675